Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 08 July 2015 11:20 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Sam Hartman <hartmans@painless-security.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Cc: General Area Review Team <gen-art@ietf.org>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>

I agree with the discussion and propose the following text to address the comments.

NEW:
   If a PCP server resets or loses the PCP SA due to reboot, power
   failure, or any reason then it sends unsolicited ANNOUNCE response as
   explained in section 14.1.3 of [RFC6887] to the PCP client.  Upon
   receiving the ANNOUNCE response with an anomalous Epoch time, PCP
   client deduces that the server may have lost state.  PCP client sends
   re-authentication request to the PCP server to check if the PCP
   server has indeed lost the state or an attacker has sent the ANNOUNCE
   response.  If the response from the PCP server is integrity-protected
   then PCP client discards the re-authentication process and the PCP
   server MUST NOT delete the PCP SA.  If the PCP server responds to the
   re-authentication request with UNKNOWN_SESSION_ID error code then the
   PCP client MUST discard the re-authentication process and initiate
   full EAP authentication with the PCP server as explained in
   Section 3.1.1.  After EAP authentication is successful PCP client
   updates the PCP SA and issues new common PCP requests to recreate any
   lost mapping state.  In a scenario where the PCP server has lost the
   PCP SA but did not inform the PCP client, if the PCP client sends PCP
   request integrity-protected then the PCP server rejects the request
   with UNKNOWN_SESSION_ID error code.  The PCP client then initiates
   full EAP authentication with the PCP server as explained in
   Section 3.1.1 and updates the PCP SA after successful authentication.

   If the PCP client resets or loses the PCP SA due to reboot, power
   failure, or any reason and sends common PCP request then the PCP
   server rejects the request with AUTHENTICATION_REQUIRED error code.
   The PCP client MUST authenticate with the PCP server and after
   EAP authentication is successful retry the common PCP request with
   AUTHENTICATION_TAG option.  The PCP server MUST update the
   PCP SA after successful EAP authentication.

-Tiru

> -----Original Message-----
> From: Sam Hartman [mailto:hartmans@painless-security.com]
> Sent: Wednesday, July 08, 2015 6:35 AM
> To: Paul Kyzivat
> Cc: Tirumaleswar Reddy (tireddy); draft-ietf-pcp-authentication.all@tools.ietf.org;
> General Area Review Team
> Subject: Re: Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
> 
> Yes.
> At this point I think you and I understand what we're talking about.
> 
> I haven't been involved in this doc in a while.
> I think we need to let Tirumaleswar comment as well as get feedback from the
> rest of the group.
> Some of this may have been discussed in the WG while I was not watching, and
> you and I have been intentionally abstract.
> 
> Unless you and I have both missed something obvious it seems unlikely we'll be
> done with this issue by the telechat.
> 
> I am attending the Prague IETF and would be happy to spend significant cycles
> that week wordsmithing/discussing this issue with PCP folks if we don't clear
> before then.
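
Added example, not part of the original message or of the draft: a toy Python model of the recovery rules in the proposed NEW text above, covering a lost SA on either side and an ANNOUNCE that may be forged. Assumptions: HMAC-SHA256 stands in for the AUTHENTICATION_TAG computation, full EAP is reduced to a key handoff, re-authentication is modeled as one tagged probe, and the `Server`/`Client` classes, the `SUCCESS` code and the trace strings are hypothetical.

```python
import hashlib
import hmac
import os

def tag(key, msg):
    # Assumption: HMAC-SHA256 as a stand-in for the AUTHENTICATION_TAG value.
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.sa_key = None                  # None models a lost or absent PCP SA

    def eap(self):
        # Full EAP authentication, abstracted to "both sides get a fresh key".
        self.sa_key = os.urandom(32)
        return self.sa_key

    def handle(self, msg, mac):
        if mac is None:                     # request carries no tag
            return "AUTHENTICATION_REQUIRED", None
        if self.sa_key is None or not hmac.compare_digest(tag(self.sa_key, msg), mac):
            return "UNKNOWN_SESSION_ID", None   # server holds no matching SA
        return "SUCCESS", tag(self.sa_key, b"SUCCESS" + msg)

class Client:
    def __init__(self, server):
        self.server, self.sa_key, self.trace = server, None, []

    def send(self, msg):
        mac = tag(self.sa_key, msg) if self.sa_key else None
        code, rmac = self.server.handle(msg, mac)
        self.trace.append(code)
        if code in ("AUTHENTICATION_REQUIRED", "UNKNOWN_SESSION_ID"):
            self.sa_key = self.server.eap()     # SA replaced only after EAP succeeds
            self.trace.append("EAP")
            return self.send(msg)               # retry the request, now tagged
        expected = tag(self.sa_key, b"SUCCESS" + msg)
        valid = rmac is not None and hmac.compare_digest(expected, rmac)
        return "SUCCESS" if valid else "DROPPED"

    def on_announce(self, epoch_anomalous):
        # An unsolicited ANNOUNCE is only a hint: probe before touching the SA.
        if not epoch_anomalous:
            return "IGNORED"
        before = self.sa_key
        self.send(b"re-authentication")
        return "SA_KEPT" if self.sa_key == before else "SA_REPLACED"
```
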